From: Ruslan Yakauleu
To: Jordan Hubbard
Cc: freebsd-fs@freebsd.org
Subject: Re: State of native encryption in ZFS
Date: Sat, 14 May 2016 21:26:35 +0300
Message-ID: <57376DDB.9070409@gmail.com>
In-Reply-To: <0CE6E456-CC25-4AED-A73E-F5BBE659F795@mail.turbofuzz.com>
References: <5736E7B4.1000409@gmail.com> <0CE6E456-CC25-4AED-A73E-F5BBE659F795@mail.turbofuzz.com>

On 14.05.2016 21:03, Jordan Hubbard wrote:
>> On May 14, 2016, at 1:54 AM, Ruslan Yakauleu wrote:
>>
>> I wish to know something new about native encryption in ZFS for FreeBSD.
>> Is any work in this direction being conducted?
> Short and simple answer: No.
>
> We also recently talked to Matt Ahrens (essentially the OpenZFS “project lead” and who determines what goes upstream) at the FreeBSD Storage Summit and he expressed very little interest in “native encryption” for ZFS, seeing little to no benefit (for what would be a lot of engineering work) in doing it at the ZFS layer vs simply continuing to use the GELI encryption at the block-device layer that FreeBSD already supports.
>
> It’s not even clear how that encryption would be implemented or exposed. Per pool? Per dataset? Per folder? Per file? There have been requests for all of the above at one time or another, and the key management challenges for each are different. They can also be implemented at a layer above ZFS, given sufficient interest.
>
> - Jordan
>

It is sad. A solution with GELI can't be moved to another machine if some troubles come. Or to another OS. Or from another OS (from Solaris with native encryption, from Linux with LUKS). Too much time is needed to return any data from the HDD if something happens. Also, reliability is decreased too (more refusal points).

I hope in the future ZFS will be one of the most stable and portable FS.

Best regards,
Ruslan Yakauleu